APTs vs. AVTs? Cutting Through the Hype

Last month, security company Mandiant released a major report that revealed several organized cybercrime groups in China are actively trying to hack into U.S. entities. This report caused widespread attention due to the fact that this is the first time there has been direct evidence – attribution if you will – against the Chinese that they are responsible for what will likely become a very heated cyber war at some point.

The Chinese attacks that Mandiant found are commonly known as “Advanced Persistent Threats” or APTs, and these threats have been around for years. While, yes, APTs have successfully allowed other countries to steal U.S. intellectual property for cyber espionage, the security community has been battling these threats for quite some time. In the meantime, while our attention has been diverted towards APT1-style attacks, a more sophisticated and dangerous attack vector has emerged and will likely become more and more commonplace among cyber criminals: the Advanced Volatile Threat or AVT.

Unlike APTs that create a pathway into the system and then automatically execute every time you reboot, an AVT comes in, exfiltrates the data it is looking for and then immediately wipes its “hands” clean – leaving no trace behind as the computer is shut down.  An AVT executes within the volatile memory of a computer, which means that once it is turned off, the AVT is gone.  It’s important to note that all malware STARTS in the memory, but it doesn’t stay there. AVTs take what they need from the memory and get out once the computer shuts down and before anyone even knows they were there – they don’t install themselves on the hard drive.

These “in-memory” attacks have been done for years, but what’s happening now is that attackers are getting more sophisticated and looking for creative ways to beat current defenses. In-memory attacks are a great way to do that, because most signature or behavior-based tools won’t detect them.  Based on our own research at Triumfant and what we’re seeing with our customers, we believe that over time, the use of AVTs will increase as the preferred attack vector among very intelligent and diligent cyber criminals. Each time they want to run an AVT attack, the cyber criminals have to get creative and find a new way to re-enter the system with an exploit. APTs, like the ones Mandiant identified, are already in the system and stay in the system, and oftentimes leave telltale fingerprints behind.

Given the level of sophistication involved, AVTs are often executed by state run cyber criminals (as opposed to clumsy hackers) specifically to make sure they remain under the radar and are completely undetectable. Everything about the AVT shouts out “real time” – you have to be able to catch it in the act, red handed. If you don’t catch it in real-time, you’ve already lost, unlike an APT that could take weeks or months to execute.

We’re well aware that the security community has raised their eyebrows at AVTs – mainly because most pen testers and the like already know about these types of attacks in memory and there are some tools out there that address these. To be clear, we’re not saying AVTs are new. The problem is that up until this point, the industry as a whole has not been very good at detecting attacks in the memory. Since the cyber criminals are always 10 steps ahead of us, we know that they are constantly looking for creative ways to defeat our best defenses.  When APTs are no longer successful because our defenses have actually improved to better detect them, we firmly believe AVTs will take the limelight and be the root cause of cyber espionage and other damaging threats in the future.

Simply put, you’ve been warned.

Till next time,

John Prisco, President & CEO

Why Security Technology Continues To Fail – And How We Can Stop The Cycle: Part 2

In our last post we addressed the fundamental failure of signature-based technologies, but an effective solution is tangible.

There is a slew of new technology emerging on the market that promises to solve the “signature problem,” but the truth is that some of them don’t fix the problem at all. The following are a few tips and observations to help you and your organization evaluate the available solutions, and choose the ones that will best defend.

1. Current signature-based security technologies are increasingly failing to stop malware. Evaluating the target of current technologies is a key first step in determining whether they will work for your enterprise. Many of our modern signature-based technologies are primarily geared toward consumer nuisance attacks, not addressing targeted malware attacks. These targeted attacks are engineered by an adversary with a specific end goal in mind. Classic “throw malware in a machine and hope it sticks” attacks are leaving targeted attacks with a wide-open door. Countless signature-based security technologies leave no way for a signature to exist – if a signature must be created, it will likely arrive too late to confront the problem. Cyber criminals have specific targets. Now it’s our job as security pros to do the same.

 2. Older vendors and technologies are being re-cast as solutions – but are no better at stopping the problem. Signature-based security tools look at millions of signatures – but signatures have to be written before technology can determine how they’re increasing, and how to stop them. With cloud computing, older vendors are recasting solutions that neglect new platforms. Cloud-based signature repositories are offering more of the same — an inelegant solution to the problem. Remember, all you need to miss is one piece of malware, and your system has been compromised. Many security companies aren’t selling this “one and done” mentality because they worry that their product can’t effectively fight off every attack – and with good reason. Even with wonderful, sophisticated databases, criminals can come up with one exploit that can bypass a network.

 3. Technologies that detect specific types of behavior and system changes have the best chance to actually find and eradicate next-generation threats. Although behavior detection strategies are seemingly up and coming, focusing solely on behavior changes can make a system rapidly vulnerable. Products that look at the intelligence of an attack do have the capability to find zero-day exploits – they send up a red flag you wouldn’t expect in detection systems that are solely anomaly-based. Combining behavior detection with anomaly based detection and removal is a vital, necessary strategy.

 4.  Companies and government agencies can build a new strategy that not only warns about new threats, but actually helps prevents them. Although complete prevention is unattainable, companies and government agencies need to focus on detecting AND removing the threat. Most products on the market focus on the detecting side and omit removal, leaving systems open to exploitation. Taking measures on both the network and the endpoint fronts is crucial if you don’t want to leave your systems exposed. The network is the easy part. Endpoint removal is the challenge, and the key.

The sophistication of today’s malware calls for a fundamental shift in the way anti-malware technology detects and remediates against new threats – and in the way people and processes respond. As long as technology and people continue to rely on what they know – such as signatures – they will continue to be defeated by what they don’t know, such as polymorphic malware. And as long as that trend continues, the tide of new breaches and infections will continue to rise.

It’s time for real change in security thinking, both at the technology level and at the process level. And if we don’t take action soon, 2013 is likely to be the worst year of malware yet.

Till the next post,

John Prisco, CEO

Why Security Technology Continues To Fail – And How We Can Stop The Cycle: Part 1


In 2012, as in previous years, commercial industry and government agencies spent record numbers of dollars on information security. Yet in 2012, as in previous years, the issue of breaches and malware infections grew more acute than in any year before.

Just look at the numbers. The most recent Verizon Data Breach Investigations Report indicates that breaches involving hacking and malware were both up considerably last year, with hacking involved in 81 percent of incidents and malware involved in 69 percent. According to the Ponemon Institute’s Cost of a Data Breach Report, malicious attacks on enterprise data rose last year, and the cost of a breach is at an all-time high ($222 per lost record). According to figures posted last month by Panda Labs, more than 6 million new malware samples were detected in the third quarter alone — and more than a third of machines across the globe are already infected.

So what does this tell us? Security technology is fundamentally failing. And we, as an industry, need to take action.

One of the chief reasons for this failure is our continued reliance on signature-based anti-malware technologies, such as traditional antivirus and intrusion prevention systems. Such systems block malware by blacklisting it – an approach that works only when the malware has been recognized and its “signature” is recorded in memory. Today’s sophisticated malware avoids this defense by constantly changing, morphing into new “zero-day” exploits that have not been detected or recorded.

Over the past month, several news organizations have once again pointed out the flaws in signature-based technologies, but even these reports are largely missing some fundamental points. A recent piece in the New York Times, for example, discusses the failure of antivirus software to stop next-generation malware. But, antivirus software imperfections have been known for years, and the Times did very little to advance the discussion of actual solutions.

Dark Reading on Dec. 27 took a more current view of the problem, discussing the flaws in today’s “layered” antimalware defenses. This article points out the flaws in today’s signature-reliant enterprise security strategies, but again, it fails to deliver much depth on how to solve the problem.

The fact is that signature-based technologies such as AV and IPS – still the cornerstones of many enterprise security strategies – are actually getting *worse* at preventing malware infections. A study published last month by Imperva indicates that the initial rate of detection of new viruses by AV solutions was less than 5 percent. While AV vendors took issue with the methods of this study, the substance of the findings is clear: signature-based solutions are failing at record rates.

With compliance regulations drowning our enterprise security professionals, proactive threat management falls to the way side and new technology solutions continue to neglect the data right in front of our eyes. End the failed attempt and address the real issues. How will you protect your corporate network?

In our next post we’ll discuss how we, as security practitioners can implement technology that truly combats the constant cyber threat cycle.

Till next time,

John Prisco, CEO

The American Airlines Phishing Attack – Front Row Seat to the Psychology of an Attack

Today I came face to face with the phishing attack and was able to watch firsthand as the attack worked on the human element of IT security.  This morning I contacted by a friend who had received an email that confirmed the purchase of a flight on American Airlines.   The friend was now convinced that a credit card had been compromised and that immediate steps were necessary.

Savvy IT security guy that I am, I immediately smelled a rat and asked that my friend (who lives close by) bring the PC with the email to me.  After all, I did not want potentially malicious stuff on my machine.

Sure enough, everything about the email spoke of fraud.  The appearance and format of the email was not even close to looking like a professional email from a large company that does lots of business online.  The email address was suspect, and having been on an airplane or two (or a thousand), I noted that the flight number was not even close to the American Airlines flight numbering system.  Lastly, there was the ubiquitous .zip file attached, just waiting to be clicked.  An example fo the email can be found on the American Web site here.

What was an interesting study was the reaction of my friend to all of this.  I have had a credit card stolen so I knew it was not the end of the world.  I also knew that the credit card companies actually handle fraud pretty well, so every second did not really count.  My friend was very nervous about the credit card being used to buy all manner of unseemly things all the while laying waste to credit ratings.

But most of all, I noted that the .zip file hung like a ball of yarn in front of an over-caffeinated kitten.  My friend so wanted to click on that file.  The psychological pull was palatable.

I walked my friend through the process of recognizing such an attack, and went to the American Airlines web page to demonstrate that the flight number on the email did not exist.  In fact, it was a digit longer than the field on the site for the flight number status.  Next I listened as my friend called American, and then the credit card company.  Both verified that no transaction had occurred and that this was part of a wide reaching scheme.  The American agent actually spent a lot of time walking my friend through the phishing concept at a high level an provided steps on how to dispose of the email without releasing the malware.  I was impressed.

I had several takeaways from the experience.  First, while the attack seemed amateurish and hackneyed to me, I was taken by how quickly my friend swallowed the hook and was quickly prepared to react.  The simple psychology involved was brutally effective, and I saw why such attacks succeed.  If a wide enough net is cast, someone will react the way the bad guys want.

Second, it reinforced the critical nature of the human element in IT security.  My friend is bright, educated, and computer savvy.  Yet that same person immediately and kinetically reacted to what was a cut-rate phishing attack.  People will always be the X-factor in IT security whether it be opening .zip files, shutting off their AV software, or gleefully inserting USB devices from any and every source.

Lastly, the experience screamed for the need for Rapid Detection and Response, because in spite of shields and protections the human factor can be leveraged to bypass or evade those protections.  Stuff gets through, and in front of me was a simple example of how.

I have to go, I just received another email from another friend who says he just got a confirmation for a flight to Atlanta he did not buy.  Seriously.

USB Drives – Cool Tool or Malware Delivery Device

Behold the USB drive. Simple. Functional. Efficient. The USB device is also a symbol of all that makes IT security so difficult. But take heart, because the USB device is also illustrative of the functions and benefits of Triumfant.

Why does the USB key represent the difficulties with IT security? Because a USB device
is an infiltration and exfiltration method wrapped into one tidy package. The bad guys are using USB devices to deliver malicious payload to host machines because this vector readily evades perimeter network defenses that use techniques like deep packet inspection and sandboxing. Unfortunately, techniques require that the attack come across the wire to work, so the attacks delivered by a USB device easily fly under their radar. The USB device has become a very effective mechanism for delivering the targeted and sophisticated zero day attacks and advanced persistent threats that are becoming increasingly difficult to detect.For an example, start with Stuxnet, the malicious attack that grabbed more headlines than a Britney Spears midnight trip for a haircut. Stuxnet evaded protection by using USB drives for transport to the host machines from which the attack spawned.

In regards to exfiltration, there is no simpler tool for offloading data than a USB device. While this has great utility, it is a major problem in the context of data loss prevention (DLP) activities, as once data is loaded onto a device there is absolutely no control of where that data may land. All bets are off.

You would think that USB devices would be the bane of every IT security person on the planet, yet security vendors give them away at industry tradeshows. Most people will pop in a USB key with little thought of the risk, so a “just say no” approach is not effective. Our CTO was at a customer recently and was told that USB devices were not allowed at the site. Minutes later he produced a report that showed that USB devices had been used in over 20% of the machines in the past two weeks. So much for strongly worded guidelines.

The problems surrounding USB devices are useful in pointing out the value of Triumfant:

Malware detection and remediation. Triumfant will detect attacks that are delivered to a machine via a USB device, analyze the attack, and build a remediation to stop the attack and repair all of the damage to the machine. Infection to remediation in minutes. Remember, Triumfant detects attacks by identifying and analyzing changes to the machine, and is therefore attack vector agnostic.

Continuous enforcement of policies and configurations. With Triumfant you can build and enforce policies that disables the use of removable media like USB devices. Triumfant will set the policy and remediate any machine found to be out of compliance.

Continuous monitoring/situational awareness. Your organization may choose to not disable USB devices. Triumfant can provide information about what machines have had a USB device inserted and can identify machines with unusually high levels of data movement. Alternately, if you do disable the devices you may also have users with Admin rights to their machines, enabling them to change the configuration of the machine to override the policies. Triumfant can provide information about what machines have had a USB device inserted and identify those machines where the policy has been altered. Triumfant is not a data loss prevention (DLP) tool and therefore cannot tell you what, if any, data was exfiltrated, but we can tell you that such an exfiltration was possible.

In summary, Triumfant is able to protect machines from attacks delivered by USB devices,
is able to enforce configurations that disable the use of USB devices, and provide insight into usage patterns of USB devices.

If only Triumfant could help me find the numerous USB devices my teenagers borrow and never return. Of course, once they have them, perhaps it is best I don’t plug them into my machine.

The Readers Speak! – Top 10 Posts for 2010

The Triumfant blog has been up and running for two years now and I am always flattered that anyone would take time from their day to read a post.  As we end the year, I thought I would post a list of the top 10 posts for the year, as determined by the number of views.

Advanced Persistent Threat: Solution – No, Effective Detection – Yes

This post is about how Triumfant uses its unique approach – change detection and contextual analysis to see the attacks characterized by the Advanced Persistent Threat.

Antivirus Detection Rates – Undetected Attacks Are Still Attacks

This is one of my favorites and addresses a critical concept – the reporting from your current defenses will obviously not tell you what attacks are getting through.  The see no evil approach does not mean that you are not getting attacked.

Antivirus Detection Rates – It is Clear You Need a Plan B

There are any number of reports and studies that clearly show that AV detection rates are bad and getting worse.  So what are organizations doing about that fact (if anything)?

Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

This post followed a spirited exchange in the blogosphere and twitterverse about the term Advanced Persistent Threat and whether APT is more about the adversary or the attacks.  This post was my entry into the conversation.

Intel Acquires McAfee, IBM Acquires BigFix – What Does It Mean to You?

2010 was a tumultuous year for the security industry and these two acquisitions are at the front of that tumult.  This post is my take on what these acquisitions mean and what happens to smaller companies when subsumed by larger ones.

Antivirus Detection Rates Study Shows the Real Exposure to Your Organization

Another post that follows yet another study on AV detection rates.  The goal was simple: there are lots of these reports and studies published, but very little pragmatic assessment about what that means in regards to risks for the organization.

Triumfant and Operation Aurora – Detecting the Advanced Persistent Threat

Remember back before Stuxnet?  When Operation Aurora hit, I got lots of inquiries of whether Triumfant would have detected the attack.  Because none of our customers were hit by the attack, our CTO Dave hooks broke down all of the data on Aurora and created this in depth case study.

Oh the Animals You Will See at the RSA Zoo (Conference)

This was written as a bit of a joke but reflects my many years of exhibiting at the RSA show.  It was one of those posts that sounded good when written, but gives pause before you post because of the fear that it will be funny to no one else but you.  I was pleased with the spirit in which it was received.

Security Configuration Management – Plugging the Holes in Your Endpoint Security

This post dug into the concepts of security configuration management in depth and provided a pragmatic conversation about the approach of Triumfant that includes our normative baseline and our automated remediation capabilities.

The Yin and Yang of Triumfant – Agent Based Precision With Network Level Analytical Context

This very recent post grabbed a significant quantity of views faster than just about any post.  The post discusses the ability of Triumfant to deliver agent level precision with the power and context of server based analysis.

So there you have the top ten as voted by you, the readers.  Thank you for reading and the feedback you provide.  Have a great holiday and a Happy New Year.

Triumfant Implements SCAP / Trusted Network Connect

Today Triumfant was part of a broader announcement by the Trusted Computing Group (TCG) about the integration of the Trusted Network Connect (TNC) security specifications with the Security Content Automation Protocol (SCAP) from National Institute of Standards and Technology (NIST).  Triumfant was listed in the press release as having implemented the TNC/SCAP integration in collaboration with Juniper Networks and we demonstrated this capability for the past two days at the NIST IT Security Automation Conference at the Baltimore Convention center.

Let me pause for an acronym break and level set.  The Trusted  Computing Group is a not-for-profit organization that promotes open, vendor-neutral, industry standards for trusted computing by helping define standard and specifications for sharing information across multiple computing platforms.  Triumfant is a member of TCG.

TCG’s Trusted Network Connect (TNC) architecture is a standards-based framework for Network Access Control (NAC) that bases network access decisions on security state information.  The objective of the TNC architecture is to deny network access to endpoints that do not meet certain minimum security criteria or are found to be corrupted or under malicious attack.  The TNC architecture may invoke NAC operations to place machines in quarantine to prevent further infection.

It may sound elemental, but implementing TNC implies that an organization must have some common minimum security criteria to apply, which surprisingly is not always the case.  This is where the integration with SCAP was so natural, as SCAP provides a standard set of criteria that is well defined and readily applicable to the TNC process.  Triumfant’s specific and unique methods for monitoring SCAP criteria made our implementation an even tighter fit, as Triumfant maintains a central repository of SCAP compliance data that can be readily accessed to verify minimum compliance.

Triumfant worked with the good folks at Juniper Networks to build the current TNC/SCAP implementation and was able to code the software necessary to make the process work using the TNC framework from TCG and SDK’s from Juniper.  I will skip the execution details, but you can get all of the information you require through our TNC white paper and our TNC Fact Sheet or from our TNC web page.

From my side, the entire TNC process just makes sense.  Machines have to meet some minimum standard to connect and if they don’t, then they have to be brought into compliance.  Since drift happens, the machine must be periodically checked to ensure that is still in the proper compliant state to stay connected.  If a machine is not compliant or is under attack, it must be remediated quickly and with minimal human intervention to restore the machine and therefore its ability to connect.  All of this needs to be done transparently and without any undo intrusion on the endpoint.  The TNC/SCAP implementation from Triumfant and Juniper does just that.

In short, the TNC implementation checks the minimum security criteria at log-in and at regular intervals while the machine is connected to the network.  If the compliance assessment fails, the NAC is triggered to take some form of action, normally moving the machine to a remediation network.  Here the compliance problems can be addressed and the compliance assessment process executed again, with the goal of moving the machine back to the primary network when the assessment is positive.

Triumfant was an early adopter of SCAP and the SCAP standards are fully integrated into our processing.  Triumfant provides policies for the SCAP configuration standards and executes those policies as an optional part of our daily processing.  Implementing the TNC/SCAP integration simply requires that the administrator chose what SCAP criteria are to be used as the criteria set for connection.  Triumfant performs continuous monitoring of the SCAP policies and stores the actual results of the SCAP policies in the server repository, so it is possible to check a machine’s compliance status without having to do a lengthy scan of the machine on-demand.  This capability provides the TNC/SCAP implementation the ability to check compliance at log-in without creating long delays while the security criteria is verified.

A critical differentiator of Triumfant has always been our unique ability to build as situational remediation to fix the problems we find, both non-compliance and malware.  This capability aligns perfectly with the TNC process of remediating the problem and restoring the affected machine.  Triumfant builds the appropriate remediation to address the detected problems, after which the compliance assessment can be executed to verify that the machine may be returned to the primary network.

Of course, the Triumfant TNC implementation is not limited to SCAP criteria.  Any security configuration policy defined to Triumfant may be applied.  That being said, the integration of TNC with SCAP is just one of those hand-in-glove combinations that makes too much sense.  Furthermore, the TNC process can also be triggered if Triumfant detects malware on the machine, and in fact, our demonstration implementation shows that capability. This helps protect your network when we detect an attack that gets past your traditional shields (which of course they do).

It is always fulfilling to participate in activities like the TNC implementation because it provides a practical and visual illustration of the capabilities of Triumfant.  It has also been a pleasure to work with the folks at TCG and with the team at Juniper, specifically Steve Hannah who is a distinguished engineer with Juniper and a very active member of the TCG.